# Static config files for the "webserver" container group (mosquitto + traefik),
# materialised under /etc/container-webserver/ so they can be bind-mounted into
# the containers. Credentials and the ACME contact come from the `secret` argument.
{ secret, ... }:
let
  etcDir = "container-webserver";
  mosquittoSecret = secret.container.webserver.mosquitto;
  traefikAcme = secret.container.webserver.traefik.config.acme;

  # Every file in this module is a regular, world-readable (0644) file.
  plainFile = text: {
    inherit text;
    mode = "0644";
  };
in
{
  environment.etc = {
    # --- mosquitto -----------------------------------------------------------
    # Broker listens on 1883 and authenticates against the bind-mounted
    # password file.
    "${etcDir}/mosquitto/mosquitto.conf" = plainFile ''
      listener 1883
      password_file /mosquitto/config/users.conf
    '';
    # NOTE(review): this is the mosquitto password file (user:hash lines) yet it is
    # written 0644, i.e. readable by every local user on the host. A mode of 0600,
    # or an owner/group matching the uid the container runs as, would be tighter;
    # confirm the container can still read the bind-mount before changing it.
    "${etcDir}/mosquitto/users.conf" = plainFile mosquittoSecret.users;

    # --- traefik -------------------------------------------------------------
    # Main static config: file provider for the custom middlewares, docker
    # provider with opt-in exposure only, HTTP/HTTPS entry points and an
    # ACME resolver using the Cloudflare DNS challenge.
    "${etcDir}/traefik/traefik.toml" = plainFile ''
      [providers]
      [providers.file]
      directory = "/custom_config"
      watch = true
      [providers.docker]
      exposedByDefault = false
      [entryPoints]
      [entryPoints.web]
      address = ":80"
      [entryPoints.websecure]
      address = ":443"
      [certificatesResolvers.cfresolver.acme]
      email = "${traefikAcme.email}"
      storage = "/acme.json"
      keyType = "EC384"
      [certificatesResolvers.cfresolver.acme.dnsChallenge]
      provider = "cloudflare"
      [api]
      dashboard = true
    '';
    # NOTE(review): the dashboard is enabled above; whether it is actually
    # reachable depends on router/middleware config not in this file
    # (api.insecure is not set here) — worth confirming it sits behind auth.

    # Reusable HTTP middlewares consumed by the file provider.
    "${etcDir}/traefik/custom/middlewares.toml" = plainFile ''
      [http.middlewares]
      [http.middlewares.non-www-redirect.redirectRegex]
      regex = "^https://www.(.*)"
      replacement = "https://''${1}"
      permanent = true
      [http.middlewares.https-redirect.redirectScheme]
      scheme = "https"
      permanent = true
      [http.middlewares.content-compression.compress]
      [http.middlewares.very-low-request-rate.rateLimit]
      average = 3
      period = "1m"
      [http.middlewares.security-headers.headers]
      frameDeny = true
      browserXssFilter = true
      contentTypeNosniff = true
      referrerPolicy = "no-referrer"
      contentSecurityPolicy = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'self'"
    '';
    # NOTE(review): in the non-www regex the `.` after `www` is unescaped and
    # matches any character; a TOML-escaped `www\\.` would be stricter.
    # The CSP keeps 'unsafe-inline' for style-src only; scripts are 'self'.
  };
}